Florian Westphal [Tue, 22 Oct 2013 13:03:52 +0000 (15:03 +0200)]
ct: connlabel matching support
Takes advantage of the fact that the current maximum label storage area
is 128 bits, i.e. the dynamically allocated extension area in the
kernel will always fit into a nft register.
Currently this re-uses rt_symbol_table_init() to read connlabel.conf.
This works since the format is pretty much the same.
Patrick McHardy [Mon, 17 Feb 2014 14:06:44 +0000 (14:06 +0000)]
netlink: fix prefix expression handling
The prefix expression handling is full of bugs:
- netlink_gen_data() is used to construct the prefix mask from the full
prefix expression. This is both conceptually wrong, the prefix expression
is *not* data, and buggy, it only assumes network masks and thus only
handles big endian types.
- Prefix expression reconstruction doesn't check whether the mask is a
valid prefix and reconstructs crap otherwise. It doesn't reconstruct
prefixes for anything but network addresses. On top of that its
needlessly complicated, using the mpz values directly its a simple
matter of finding the sequence of 1's that extend up to the full width.
- Unnecessary cloning of expressions where a simple refcount increase would
suffice.
Patrick McHardy [Sun, 16 Feb 2014 22:45:19 +0000 (22:45 +0000)]
netlink_delinarize: convert *all* bitmask values into individual bit values
We're currently only converting bitmask types as direct argument to a
relational expression in the form of a flagcmp (expr & mask neq 0) back
into a list of bit values. This means expressions like:
tcp flags & (syn | ack) == syn | ack
won't be shown symbolically. Convert *all* bitmask values back to a sequence
of inclusive or expressions of the individual bits. In case of a flagcmp,
this sequence is further converted to a list (tcp flags syn,ack).
Patrick McHardy [Wed, 5 Feb 2014 19:03:40 +0000 (19:03 +0000)]
cmd: initialize cmd list and use list_splice_tail() for adding to command list
With incremental evaluation we're first evaluating the command before
adding it to the global command list, so the command's list_head is
uninitialized during evaluation. We need to initialize it to handle the
case that an implicit set declaration will prepend a command to the list.
Also list_splice_tail() needs to be used instead of list_add_tail() to
add the entire list of commands.
Patrick McHardy [Tue, 4 Feb 2014 08:09:27 +0000 (08:09 +0000)]
parser: evaluate commands immediately after parsing
We currently do parsing and evaluation in two seperate stages. This means
that if any error occurs during parsing, we won't evaluate the syntactical
correct commands and detect possible evaluation errors in them.
In order to improve error reporting, change this to evaluate every command
as soon as it is fully parsed.
With this in place, the ruleset can be fully validated and all errors
reported in one step:
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
^
tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp dport tcp
~~~~~~~~~ ^^^
tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant
filter input tcp dport tcp dport
~~~~~~~~~~^^^^^^^^^
Patrick McHardy [Tue, 4 Feb 2014 08:09:27 +0000 (08:09 +0000)]
scanner: don't update location's line_offset for newlines
When reset_pos() is invoked, YY_USER_ACTION() has already advanced the
line offset to the next line. This causes errors for unexpected newlines
to incorrectly show the following line when reading from files.
Patrick McHardy [Tue, 4 Feb 2014 08:09:27 +0000 (08:09 +0000)]
evaluate: determine implicit relational op before RHS constant checks
The symbol for the relational op is shown in the error message. Since
OP_IMPLICIT doesn't have a symbol, (null) is shown. Fix by determining
the implicit op before checking for constants.
Error: Right hand side of relational expression ((null)) must be constant
=>
Error: Right hand side of relational expression (==) must be constant
Patrick McHardy [Tue, 21 Jan 2014 12:39:31 +0000 (12:39 +0000)]
cmd: add create command for tables and chains
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Patrick McHardy [Thu, 16 Jan 2014 20:01:56 +0000 (20:01 +0000)]
set: make set initializer parsable
If a set contains elements, the output is not parsable since the
elements = { ... } is not understood by the parser. Fix this and
also add support for creating constant sets (which only makes sense
when using an initializer).
Patrick McHardy [Thu, 16 Jan 2014 20:01:56 +0000 (20:01 +0000)]
set: make set flags output parsable
This patch fixes two problems:
- the output of "nft list table ..." is not parsable if sets are included
because the parser can't parse the flags.
- set flags can't be specified during set creation.
To fix this, the set output is changed to:
- not print each flag on a single line
- prefix the flags with "flags "
- only show the interval flag since all others are for internal use only
The parser is changed to parse the flags specified in a set declaration.
This allows to parse empty sets. The following patch will take care of
parsing sets that are already populated.
Replace => by : to make it easier for most shell users, as
> implies a redirection, let's avoid possible confusion that
may result if you forget to escape it.
This works fine if you don't forget to add space between the
key and the value. If you forget to add the space, depending
on the case, the scanner may recognize it correctly or process
it as a string.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Thu, 16 Jan 2014 18:12:06 +0000 (18:12 +0000)]
build: fix recursive parser.h inclusion
Ocassionally when regenerating the scanner or parser (not sure which),
recursive inclusion of the parser.h file occurs. The reason is that
bison doesn't generate a header sandwich to protect against this (*sigh*).
Patrick McHardy [Thu, 16 Jan 2014 16:54:18 +0000 (16:54 +0000)]
parser: use symbolic expressions for parsing keywords as protocol values
For "meta protocol" and the "meta nfproto" expressions, we need to be
able to parse "ip", "ip6", "vlan" and "arp" as protocol values.
Since the interpretation depends on the LHS of the relaltional expression,
we need to use symbolic expressions instead of constants to defer parsing
to the evaluation phase.
Patrick McHardy [Thu, 16 Jan 2014 17:11:12 +0000 (17:11 +0000)]
segtree: fix decomposition of unclosed intervals
If intervals are directly adjacent or extend to the right end of the dimension,
they are not closed by a EXPR_F_INTERVAL_END entry. This leads to multiple
errors when decomposing the intervals:
- the last unclosed interval is not shown at all.
- if a range is unclosed and the set is a map, the starting point of the
next interval is set to the data, not the key, leading to nonsensical
output.
- if a prefix is unclosed, the interval is assumed to be a prefix as well
and the same starting point is kept. This makes sense for cases like
192.168.0.0/24, 192.168.0.0/16, but leads to hard to understand
results if the next interval is not representable as a prefix.
Fix this by doing two things:
- add an EXPR_F_INTERVAL_END element for each unclosed interval during
preprocessing.
- process the final unclosed interval extending to the right end of the
dimension, if present.
Patrick McHardy [Thu, 16 Jan 2014 17:11:12 +0000 (17:11 +0000)]
segtree: only use prefix expressions for ranges for selected datatypes
It is uncommon to represent f.i. port number ranges as prefix expressions.
Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred
representation of a range is a prefix and use it for segtree decomposition
to decide whether to use a range or prefix expression.
The ipaddr, ip6addr, mark and realm datatypes are changed to include the
DTYPE_F_PREFIX flag.
This fixes completely unreadable output in cases where the ranges are
representable as prefixes, f.i. in case of port number:
Currently, nft displays the debugging information if it's compiled with
--enable-debug (which seems a good idea) and when intervals are used
in maps. Add a new option to enable debugging to segtree, so we only
get this information when explicitly requested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
scanner: rename address selector from 'eth' to 'ether'
eth may easily occur when using ifname masks. This could be also
fixed by interpreting 'eth' as a simple string in the parser but
I think this selector also looks more similar to what we use in
tcpdump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Many systems (for example Debian) don't recognice `#!nft -f' as a
valid interpreter.
A short way to handle this is to provide the full path to the interpreter
in the shebang.
That is what this patch does: update the shebang's path during installation.
For example, if you are installing under /usr/local, the shebang becomes:
#!/usr/local/sbin/nft -f
If using --prefix=/, then:
#!/sbin/nft -f
NOTE: If the shebang in source files are changed in a future, this sed script
should be updated as well.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Kevin Fenzi [Mon, 13 Jan 2014 06:36:45 +0000 (06:36 +0000)]
nftables: drop hard coded install using root user owner and group
Packaging systems build as a non priv user, so can't install as root. Users
installing from source can 'sudo make install' or run 'make install' as root
Signed-off-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
So the problem is not related to datatypes at all and generic type
checking works perfectly fine:
<cmdline>:1:52-57: Error: datatype mismatch, expected Ethernet protocol, expression has type Internet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
~~~~~~~~~~~~~ ^^^^^^
Patrick McHardy [Fri, 10 Jan 2014 09:28:37 +0000 (09:28 +0000)]
nftables: shorten "could not process rule in batch" message
Remove the "in batch" part, it makes most messages exceed a single line, the
user doesn't care about this and we process even single rules in "batches".
Patrick McHardy [Thu, 9 Jan 2014 21:59:29 +0000 (21:59 +0000)]
netlink_delinearize: fix compiler warning
src/netlink_delinearize.c: In function ‘meta_match_postprocess’:
src/netlink_delinearize.c:660:3: warning: passing argument 1 of ‘expr->left->ops->pctx_update’ from incompatible pointer type [enabled by default]
src/netlink_delinearize.c:660:3: note: expected ‘struct proto_ctx *’ but argument is of type ‘struct rule_pp_ctx *’
Patrick McHardy [Thu, 9 Jan 2014 18:54:02 +0000 (18:54 +0000)]
nftables: fix supression of "permission denied" errors
Introduction of batch support broke displaying of EPERM since those are
generated by the kernel before batch processing starts and thus have the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
command messages. Also only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
meta: add l4proto support
Add support for the meta l4proto type. This is used in the inet table to
match on the transport layer protocol without requiring the network layer
protocol to be known, allowing to use transport header matches that apply
to both IPv4 and IPv6.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
meta: add nfproto support
Add support for the meta nfproto type, which refers to the AF from the
netfilter hook ops. This is needed to get the actual family of a packet
in the dummy NFPROTO_INET family.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
proto: add support for meta templates
The following two patches will add two new meta expression types that are
used as dependencies in the inet table. To reuse the existing dependency
generation code, add a slightly hackish way to specify meta expressions
as payload dependencies.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
nftables: add support for the "inet" family
Add support for the mixed IPv4/IPv6 "inet" family. This mainly consist
of adding the "inet" <-> NFPROTO_INET mapping in the parser and netlink
support functions.
Additionally add the definitions for the inet filter table.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
ct expr: protocol context updates and dynamic typing
Include the protocols defined through relational ct expressions in the
protocol context and use the protocol context to dynamically determine
the types of network and transport layer ct expression types.
Patrick McHardy [Wed, 8 Jan 2014 13:02:15 +0000 (13:02 +0000)]
nftables: generic procotol contexts
Currently the context of higher layer protocols is specific to payload
expressions with some special cases for meta IIFTYPE expressions. This
approach has a few shortcomings, concretely there are more expression
types which define upper layer protocols like the ct expression and two
upcoming new types for the meta expression.
Replace the payload context by a generic protocol context to deal with
this. This patch just splits off the requires parts from the payload
expression without any functional changes, the following patches will
add further functionality for other expressions.
projects / thirdparty / nftables.git / log
